Lucene search
K

16 matches found

Positive Technologies
Positive Technologies
added yesterday4 views

PT-2026-56297

Name of the Vulnerable Software and Affected Versions better-auth versions prior to 1.6.11 Description The legacy oidcProvider and mcp plugins expose an OAuth 2.0 token endpoint that fails to authenticate confidential clients during the refresh token grant. The system authenticates requests based...

9.1CVSS5.9AI score0.00013EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/19 10:52 a.m.14 views

CVE-2026-37979

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...

6.5CVSS5.8AI score0.00366EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/19 12:0 a.m.9 views

Keycloak 访问控制错误漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability related to access control. This vulnerability stems from an access control flaw within the OpenID Connect token, allowing confidential clients to bypass audience...

6.5CVSS5.8AI score0.00366EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/08/21 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2024-22258

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for...

6.1CVSS6.4AI score0.00522EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/23 9:54 a.m.7 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.9AI score0.00522EPSS
Exploits0References1
Veracode
Veracode
added 2024/03/21 7:9 a.m.25 views

PKCE Downgrade Attack

spring-security-oauth2-authorization-server is vulnerable to PKCE Downgrade. The vulnerability is due to improper handling of PKCE authorization when a Confidential Client requests an Authorization Code Grant. Note that this vulnerability only applies to Confidential Clients, Public Clients are...

6.1CVSS6.9AI score0.00522EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2024/03/20 4:15 a.m.32 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.3AI score0.00522EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2024/03/20 4:15 a.m.30 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.4AI score0.00522EPSS
Exploits0References2
OSV
OSV
added 2024/03/20 4:15 a.m.2 views

UBUNTU-CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS5.8AI score0.00522EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/03/20 3:58 a.m.20 views

CVE-2024-22258 CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.9AI score0.00522EPSS
Exploits0References1
CVE
CVE
added 2024/03/20 3:58 a.m.74 views

CVE-2024-22258

CVE-2024-22258 affects Spring Authorization Server versions 1.0.0–1.0.5, 1.1.0–1.1.5, and 1.2.0–1.2.2 (and older unsupported) where confidential clients using PKCE with the Authorization Code Grant can be downgraded, potentially bypassing security restrictions. Public Clients using PKCE are not v...

6.1CVSS6.3AI score0.00522EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/03/20 3:58 a.m.36 views

CVE-2024-22258 CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.5AI score0.00522EPSS
Exploits0References1
Spring Security Advisories
Spring Security Advisories
added 2024/03/19 12:0 a.m.7 views

PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.4AI score0.00522EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2024/03/19 12:0 a.m.4 views

PT-2024-19292

Name of the Vulnerable Software and Affected Versions Spring Authorization Server versions 1.0.0 through 1.0.5 Spring Authorization Server versions 1.1.0 through 1.1.5 Spring Authorization Server versions 1.2.0 through 1.2.2 Spring Authorization Server older unsupported versions Description The...

6.1CVSS6.4AI score0.00522EPSS
Exploits0References12
OSV
OSV
added 2022/01/05 5:12 p.m.4 views

DRUPAL-CONTRIB-2022-002

This module enables you to implement OAuth 2.0 authentication for Drupal. The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected. This vulnerability is mitigate...

6.3AI score
Exploits0References1
RubySec
RubySec
added 2016/08/18 12:0 a.m.24 views

Doorkeeper gem does not revoke tokens & uses wrong auth/auth method

Doorkeeper failed to implement OAuth 2.0 Token Revocation RFC 7009 in the following ways: 1. Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked 2. Requests were not properly authenticating the client credentials but were, instead, looking at th...

9.1CVSS1AI score0.04685EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder